Configuring firewall within subnet

seudonimo, Technical User (GB), Jul 26, 2005
I have used a firewall which can be installed as a "break" within a subnet. It detects which IPs are inside, and which are outside, and bridges between the two. This means a firewall (including a second firewall in series) can be added without disturbing assigned IP addresses.

Three questions:
1. Is there a technical name for this sort of thing, which would be more expressive than my stumbling attempts to describe what it does?

2. Looking over the Cisco PIX documentation, it doesn't seem to do this. It seems that it has to be set up as a router, potentially requiring an extra range of IP addresses. Am I correct?

3. (If not inappropriate for this forum) Are there other inexpensive (<$600) hardware firewalls that will operate in this mode?
 
If all you're trying to do is break up a broadcast subnet into two smaller subnets, there are much easier/cheaper ways to do that than a firewall. Any router with two ethernet ports should do the trick -- with static routing for

subnet A <-> subnet B

If you have a vlan capable layer 3 switch, all the better.
 
Thanks for the reply. No, I really do want to add a firewall without having to re-IP anything.

In fact, though it shouldn't make a difference, what I want to do is add a second firewall in series, for
(a) extra peace of mind coming from using two different manufacturers
(b) a recovery plan for when one firewall fails (remove it, leaving the other one).
 
Maybe I'm asking the wrong question. I'll describe in more detail what I have.

I have a single class C range, and all machines are assigned an address in that range, including the router. Currently using a 3Com OfficeConnect Firewall, which takes a single IP address, despite having "in" and "out" connections.

My aim is to add more firewall protection, without major network upheavals. In an ideal world, two firewalls in series, either of which can be removed, without any reconfiguration, in the event of a failure.

The Cisco firewall, and also the Netgear and D-Link firewalls whose manuals I have read, all seem to need to run as a router. As I see it, that means I would need to do some radical work on the net, at least reconfiguring every IP, perhaps getting a new IP range, or using NAT and/or DHCP.

What are my choices? Anything else run like the 3Com box? (I'd rather not get two identical boxes, as that doesn't really add any protection.)
 
I've now found out that the popular term for this is "transparent firewall". Research suggests that the Cisco IOS can do this, but the Cisco PIX cannot. Also that some ZyWall firewalls can do this, and home grown OpenBSD firewalls can.
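For reference, here is what the "home grown OpenBSD" variant of a transparent firewall looks like: an added configuration example, not posted by anyone in this thread. It assumes two NICs named em0 (towards the router) and em1 (towards the LAN), a constructed class C of 203.0.113.0/24, a management address of .250 and an admin workstation at .10; no existing host changes its address, and the box can be pulled out and the two cables joined without re-IPing anything.

```conf
# /etc/hostname.em0   (port facing the router; no address, just link up)
up

# /etc/hostname.em1   (port facing the LAN; carries the box's own management address)
inet 203.0.113.250 255.255.255.0

# /etc/hostname.bridge0   (layer-2 bridge: frames flow between em0 and em1,
#                          IP forwarding stays off, the box is not a router)
add em0
add em1
up

# /etc/pf.conf   (pf sees each frame on the member interface it arrives on)
ext_if = "em0"
int_if = "em1"
lan    = "203.0.113.0/24"
mgmt   = "203.0.113.250"
admin  = "203.0.113.10"

set skip on lo

# default deny, logged, so anything unexpected from the router side shows in pflog
block log all

# LAN hosts may open connections outward; pf's stateful entry (floating by default)
# lets the reply back in on em0 and out on em1 without further rules
pass in  on $int_if from $lan to any
pass out on $ext_if from $lan to any

# only the admin workstation may reach the firewall itself, and only on ssh
pass in on $int_if proto tcp from $admin to $mgmt port 22
```

Check with `pfctl -nf /etc/pf.conf` before loading, and `ifconfig bridge0` should list both members; hosts on either side still talk to the same router address as before.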
 
I believe the Pix firewall can go into Bridge Mode in the 7.0 IOS release. What model Pix do you have?
 